Hola buen día.

Estoy estableciendo un tunel gre con ipsec.

Quiero agregar una ACL a la interfaz tunel, pero cuando agrego el crypto map a la interfaz tunnel se cae la vpn.

y si agrego el ACL a las interfaces fisicas no realizan el filtrado de las ip´s.

Como podría solucionar esto?

Agrego sh run de los routers

Router 1:

Building configuration...

Current configuration : 1753 bytes
!
! Last configuration change at 15:28:14 UTC Wed Oct 7 2020
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
cts logging verbose
license udi pid CISCO881-SEC-K9 sn FTX1804817N
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
lifetime 3600
crypto isakmp key 123 address [a] no-xauth
!
!
crypto ipsec transform-set AES256-SHA512 esp-aes 256 esp-sha512-hmac
mode transport
!
crypto ipsec profile TO-MTY
set transform-set AES256-SHA512
set pfs group14
!
!
!
crypto map vpn-map 50 ipsec-isakmp
set peer [a]
set transform-set AES256-SHA512
set pfs group14
match address VPN-MTY
!
!
!
!
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
tunnel source [b]
tunnel destination [a]
tunnel protection ipsec profile TO-MTY
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address [b] mask
ip access-group VPN-MTY in
duplex auto
speed auto
!
interface Vlan1
no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.1.0 255.255.255.0 192.168.1.2
!
ip access-list extended VPN-MTY
permit ip 10.26.0.0 0.0.255.255 10.24.0.0 0.0.255.255
!
!
!
control-plane
!
!
vstack
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input none
!
!
end

Router 2:

Building configuration...

Current configuration : 1986 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
ip cef
!
!
!
!

!
!
!
!
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO892-K9 sn FGL180321A3
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
lifetime 3600
crypto isakmp key 123 address [b] no-xauth
!
!
crypto ipsec transform-set AES256-SHA512 esp-aes 256 esp-sha512-hmac
mode transport
!
crypto ipsec profile TO-CEL
set transform-set AES256-SHA512
set pfs group14
!
!
!
crypto map vpn-map 50 ipsec-isakmp
set peer [b]
set transform-set AES256-SHA512
set pfs group14
match address VPN-CEL
!
!
!
!
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
tunnel source [a]
tunnel destination [b]
tunnel protection ipsec profile TO-CEL
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
ip address [a] mask
ip access-group VPN-CEL in
duplex auto
speed auto
!
interface Vlan1
no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.1.0 255.255.255.0 192.168.1.1
!
ip access-list extended VPN-CEL
permit ip 10.24.0.0 0.0.255.255 10.26.0.0 0.0.255.255
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
!
end